| 13051 |
2023-05-23 17:24
|
 1.exe cc09bb37daeedc24a5029612658ffb7e
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13052 |
2023-05-23 17:22
|
 Zhazpwadddz.exe 24781c1e54454da853bef89a12b65975
RAT .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13053 |
2023-05-23 17:21
|
 bld_3s.exe 44b65c0e74a1c608b202a663318f966d
Emotet PWS .NET framework Loki_b RAT UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Windows ComputerName DNS Cryptographic key |
15
http://94.142.138.111/concerts/2.php - rule_id: 32678
http://94.142.138.111/concerts/13.php - rule_id: 32689
http://94.142.138.111/concerts/10.php - rule_id: 32686
http://ip-api.com/json/
http://94.142.138.111/concerts/9.php - rule_id: 32685
http://94.142.138.111/concerts/11.php - rule_id: 32687
http://94.142.138.111/concerts/8.php - rule_id: 32684
http://94.142.138.111/concerts/6.php - rule_id: 32682
http://94.142.138.111/concerts/4.php - rule_id: 32680
http://94.142.138.111/concerts/1.php - rule_id: 32677
http://94.142.138.111/concerts/12.php - rule_id: 32688
http://94.142.138.111/concerts/7.php - rule_id: 32683
http://94.142.138.111/concerts/5.php - rule_id: 32681
http://ipwhois.app/xml/
http://94.142.138.111/concerts/3.php - rule_id: 32679
|
5
ipwhois.app(103.126.138.87)
ip-api.com(208.95.112.1)
103.126.138.87
94.142.138.111 - malware
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
13
http://94.142.138.111/concerts/2.php
http://94.142.138.111/concerts/13.php
http://94.142.138.111/concerts/10.php
http://94.142.138.111/concerts/9.php
http://94.142.138.111/concerts/11.php
http://94.142.138.111/concerts/8.php
http://94.142.138.111/concerts/6.php
http://94.142.138.111/concerts/4.php
http://94.142.138.111/concerts/1.php
http://94.142.138.111/concerts/12.php
http://94.142.138.111/concerts/7.php
http://94.142.138.111/concerts/5.php
http://94.142.138.111/concerts/3.php
|
5.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13054 |
2023-05-23 17:20
|
 vbc.exe 7457fdd20c567bd3c20e7be6ee044726
Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.6 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13055 |
2023-05-23 17:18
|
 buggzx.exe a29fb824aaf242efc1f4d4527c2e8a0a
Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.60/bugg/five/fre.php - rule_id: 33487
|
1
185.246.220.60 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://185.246.220.60/bugg/five/fre.php
|
13.6 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13056 |
2023-05-23 17:17
|
 2022_12_PO-note_page-0002.hta dada4c04af88637d79abfec8ed74e568VirusTotal Malware Check memory RWX flags setting unpack itself WriteConsoleW Tofsee Windows Discord DNS |
1
https://cdn.discordapp.com/attachments/1062280171790540840/1063090692613746718/aDTUAh4aJrmzMHA.exe
|
2
cdn.discordapp.com(162.159.133.233) - malware
162.159.129.233 - malware
|
3
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13057 |
2023-05-23 17:16
|
llillillillillilli%23%23%23%23... 05ec34c0d8db1ff6e5def9ab587dadc8
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
2
http://107.172.130.133/62/vbc.exe
http://107.172.130.133/e/cLItriJACP41.bin
|
1
107.172.130.133 - mailcious
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE Generic .bin download from Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13058 |
2023-05-23 17:15
|
 ark.exe f40caeb8d127389627cf20e34c70b1ca
PWS .NET framework Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(104.237.62.211)
173.231.16.76
|
|
|
10.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13059 |
2023-05-23 17:06
|
File_pass1234.7z 59bdba4300a7d636830fa3ff631a8ed0
PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee DNS |
4
http://www.maxmind.com/geoip/v2.1/city/me
http://85.208.136.10/api/tracemap.php - rule_id: 32662
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
|
10
api.db-ip.com(104.26.5.15)
db-ip.com(104.26.5.15)
ipinfo.io(34.117.59.81)
www.maxmind.com(104.17.214.67)
172.67.75.166
104.17.215.67
85.208.136.10 - mailcious
34.117.59.81
104.26.5.15
94.142.138.113 - mailcious
|
3
ET SCAN Potential VNC Scan 5900-5920
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://85.208.136.10/api/tracemap.php
|
4.6 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13060 |
2023-05-23 16:27
|
 nc.exe e0db1d3d47e312ef62e5b0c74dceafe5
PE File PE32 VirusTotal Malware WriteConsoleW |
|
|
|
|
1.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13061 |
2023-05-23 16:21
|
1.chm c63336057f756c711c594e8b59b0265f
Suspicious_Script_Bin AntiDebug AntiVM CHM Format VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted wscript.exe payload download Creates executable files RWX flags setting unpack itself suspicious process WriteConsoleW Tofsee Advertising Google ComputerName |
1
https://drive.google.com/uc?export=download&id=1Ovbe1se3Rh9WH1LYT1ob1ngpdtjJW1yF&confirm=t
|
2
drive.google.com(142.250.76.142) - mailcious
142.250.199.78
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13062 |
2023-05-23 16:20
|
 Tlye.js 89b80c721075ad721417cfd59d3ea52a
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
1
http://176.124.198.213/Fs8Py/7Jc5538ixH9
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13063 |
2023-05-23 16:20
|
 Shelsjg.js 2c0d2060097f624acccf5074ea80b16c
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
1
http://109.172.45.79/PlL4mU/wqhut1xLnC
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13064 |
2023-05-23 09:44
|
 llaa25.exe b44b3fd2f45d55238c7e11df70148a9f
Malicious Library Malicious Packer PE64 PE File VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
1.0 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13065 |
2023-05-23 09:39
|
 Inkmp.js 87bf8261360a2e4e9ba5941507cd03b5
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
1
http://176.124.198.212/s0A/664o6qvcej
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|